Malware (such as viruses, Trojan horses, and other malicious content) are becoming more and more prevalent. The traditional approaches of constructing signatures to identify these threats is becoming more and more difficult given the rate at which new variants of malware are emerging. The challenge associated with using the signature-based methods is that the problem of “looking for bad” is an unbounded one. The approach is always behind the latest, and most dangerous, threats. An additional issue is that these approaches often create a lot of “noise” in the form of false positive identification of benign content without providing any actionable insight into the potential issue to allow an individual tasked with securing the organization to be able to make an informed decision.
One way to help minimize the number of false positive identification of benign content is by using an electronic sandbox, as shown in FIG. 1. When electronic file 105 is received by the system, for example over network 110, the file can be placed in electronic sandbox 115. Electronic sandbox 115, as its name suggests, is an appliance that can open electronic file 105 in total isolation. Electronic sandbox 115 can be a computer system that is physically isolated (or isolated as completely as possible) from any intranet, so as to prevent the migration of any malicious code. Alternatively, electronic sandbox 115 can be a virtual environment in a computer system, ideally isolated from any other environments on the same computer system (or other networked computer systems).
Once electronic file 105 is opened in electronic sandbox 115, key criteria of the operating system of electronic sandbox 115 can be monitored to look for any suspicious behavior that might suggest the file is infected with a malicious code. Such behavior could include, but is not limited to, trying to access the internet, changing registry settings, or attempting to elevate the user privileges.
By using electronic sandbox 115, the dangerous effects of any malicious code in electronic file 105 are strictly confined to the sandbox environment, which is typically discarded for a fresh instance of the environment when the next file is processed. If opening electronic file 105 in electronic sandbox 115 does not demonstrate the presence of any malicious code, then electronic file 105 is likely not a threat, and can be delivered to user 120. On the other hand, if the opening of electronic file 105 in electronic sandbox 115 demonstrates the presence of malicious code, then electronic file 105 can be placed in quarantine 125 until either electronic file 105 can be cleansed somehow of the malicious code, or electronic file 105 is deleted.
The problem with using electronic sandbox 115 in this manner is that it requires considerable overhead to maintain electronic sandbox 115 and to monitor electronic sandbox to determine if electronic file 105 contains malicious code. In addition, monitoring electronic file 105 within electronic sandbox 115 adds considerable latency to the delivery of electronic file 105 to the user. Finally, attackers are aware of the use of electronic sandbox 115. By delaying the activation time of their malicious code until after the inspection time of electronic sandbox 115, the observation of electronic sandbox 115 might fail to detect the malicious code. As a result, electronic file 105 might be delivered to user 120 as safe, even though it contains malicious code.
Embodiments of the invention address this and other problems with the prior art.